Comment on Traefik Docker Lables: Common Practice

<- View Parent
lemmyvore@feddit.nl ⁨8⁩ ⁨months⁩ ago
  1. If a user types just a domain name in the browser bar (without adding http:// or https://) the browser will try https:// first. If it sees a HSTS header it will refuse to ever access that domain over http://, period, for as long as the header says (this applies to later visits too, the browser will remember that it must not use http://).
  2. If it’s the very first time the user visits your domain and they explicitly type http:// or follow a link that used http://, it depends. If they have a browser setting or addon that automatically upgrades http:// to https:// it will either put them in the first scenario silently, or issue a warning that asks them if they’re sure they want to proceed non-encrypted.
  3. If they get past all these safeguards and attempt to connect to your port 80, again it depends. If they manage to connect to your server it would help if there’s a redirect to https:// there but the damage has already been done…
  4. …because if their ISP (or your ISP, or their company, or the owner of that coffeeshop WiFi they’re using, or someone in their household etc. etc.) is hijacking HTTP connections, the visitor will never reach your port 80. The hijacker will connect to your 443 on their behalf and use their requests to port 80 to relay content pulled from 443, and eavesdrop on everything both ways, obtaining logins and other private info in the process.

So as you can see whether you maintain a redirect on 80 or not is not very important. Ideally your visitors should never attempt unencrypted connections at all. If they do and get hijacked your redirect will be irrelevant.

Redirects on 80 to 443 are relevant if your website is old and gets a significant amount of traffic from http:// links out there, which it cannot afford to miss.

source
Sort:hotnewtop